Various techniques exist to achieve end-to-end security between two communicating endpoints, e.g. a client node and a server node. When one, or both, of the communicating endpoints reside in a datacenter, the communication path between them comprises a number of network elements, in particular intermediate nodes (e.g. switches, routers, gateways and other middleboxes) that are part of the datacenter's network. Some of the data flows destined to e.g. public web services do not use any security or authentication at all, and the intermediate nodes allow such flows to pass through. However, some data flows, particularly those destined to critical services, are authenticated, for instance based on public-key technology. The authentication often occurs at the endpoints that terminate the connection, but sometimes the intermediate nodes are also involved in the authentication process.
As an example of purely end-to-end authentication, the Secure Shell (SSH) protocol is used to establish a terminal session or file transfer session from a client to a server. As an example of end-to-middle authentication, web-based authentication is typically separated from the actual web service in protocols such as OAuth (an open standard for authorization) providing delegated access, or Shibboleth. In such a case, the host responsible for the authentication, an Identity Provider (IdP), is located off the communications path between the client and the server.
Virtual Private Network (VPN) services are also implemented using end-to-middle authentication, but in this case the authentication middlebox, a VPN gateway, is always located on the communication path between the client and the server because it terminates the security tunnel between the client and the VPN gateway.
Firewalls may be used as an alternative or complement to the various security mechanisms. Firewalls filter packets based on location-dependent identifiers at the lower layers, typically based on Internet Protocol (IP) addresses. For instance, a firewall may allow only certain IP address ranges and thereby control access to a service. Firewall-like functionality may also be included in switches; for instance, a switch may be firewalled so that only specific Media Access Control (MAC) addresses are allowed to pass through its ports. Alternatively, such functionality can be implemented at switches or routers by isolating different ports of a switch from each other using Virtual LAN (VLAN) tags, hence allowing traffic only to/from certain ports. It should be noted that the switches and other intermediate nodes are not necessarily physical devices, but can be virtualized, especially in datacenters.
In order to enable communication between endpoints, the intermediate nodes need to allow and forward network traffic between the endpoints. A number of protocols for automating the configuration of intermediate nodes, e.g. middleboxes, exist, such as Universal Plug and Play (UPnP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), Simple Network Management Protocol (SNMP), Network Configuration Protocol (Netconf), Path Computation Element Communication Protocol (PCEP) and Open vSwitch Database Management Protocol (OVSDB).
Software Defined Networking (SDN) is a paradigm that decouples network control (using a control plane) from forwarding functions (realized by a data plane). This paradigm hence requires a way for the control plane to communicate with the data plane. As an example of such a way, the OpenFlow protocol supports logically centralized control of intermediate nodes (i.e. middleboxes). The OpenFlow protocol can be used to determine a dynamic path of network packets through the network, and to enforce access control at the intermediate nodes.
Hardware-based intermediate nodes, such as switches and routers, located in a datacenter have little or no means to protect their services against unauthorized access or Distributed Denial of Service (DDoS) attacks. The services have to protect themselves because legacy intermediate nodes offer only coarse-grained methods to protect the services, such as the above-mentioned examples of allowing only certain transport-layer ports, IP addresses or ranges, MAC addresses or VLAN tags. However, these methods are usually bound to location-based identifiers, which makes them inconvenient in, for instance, scenarios involving mobile clients or services that migrate between different networks. In particular, the mobile client (or server) will obtain a new identifier for each visited location, and the intermediate nodes are not aware of these identifiers. Any preconfigured rules will then not match the identity of the mobile client (or mobile server).
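The limitation just described can be made concrete with a small OpenFlow-style flow table that enforces access control on location-bound header fields. This is an added example, not code from the original text or from any OpenFlow implementation; the rule priorities, addresses and field names are constructed for illustration.

```python
# Added example (not from the original text): an OpenFlow-style flow table that
# filters on location-bound header fields (IP, MAC, transport port), showing why
# a preconfigured rule stops matching once a mobile client obtains a new address.
from typing import Dict, List

class FlowRule:
    def __init__(self, priority: int, match: Dict[str, str], action: str):
        self.priority = priority   # highest priority wins, as in an OpenFlow table
        self.match = match         # field -> required value; absent field = wildcard
        self.action = action       # "forward" or "drop"

def rule_matches(rule: FlowRule, pkt: Dict[str, str]) -> bool:
    """Exact match on every field the rule names; unnamed fields are wildcards."""
    return all(pkt.get(k) == v for k, v in rule.match.items())

def lookup(table: List[FlowRule], pkt: Dict[str, str]) -> str:
    """Action of the highest-priority matching rule; a table miss drops the packet."""
    for rule in sorted(table, key=lambda r: r.priority, reverse=True):
        if rule_matches(rule, pkt):
            return rule.action
    return "drop"

# Constructed rules: SSH (tcp/22) to the server 10.0.0.10 is allowed only from one
# specific source MAC/IP pair; public HTTPS is open to anyone; everything else
# falls through to the table-miss drop.
TABLE = [
    FlowRule(200, {"dl_src": "02:00:00:00:00:aa", "nw_src": "10.0.1.5",
                   "nw_dst": "10.0.0.10", "tp_dst": "22"}, "forward"),
    FlowRule(100, {"nw_dst": "10.0.0.10", "tp_dst": "443"}, "forward"),
]

def client_at_home() -> str:
    pkt = {"dl_src": "02:00:00:00:00:aa", "nw_src": "10.0.1.5",
           "nw_dst": "10.0.0.10", "tp_dst": "22"}
    return lookup(TABLE, pkt)

def client_after_move() -> str:
    # The same client attaches to another network and is assigned a new IP.
    # Its identity is unchanged, but the rule keyed on the old address no longer
    # matches, so the switch falls back to the table-miss drop.
    pkt = {"dl_src": "02:00:00:00:00:aa", "nw_src": "10.0.2.77",
           "nw_dst": "10.0.0.10", "tp_dst": "22"}
    return lookup(TABLE, pkt)

def public_web_from_anywhere() -> str:
    pkt = {"dl_src": "02:00:00:00:00:bb", "nw_src": "198.51.100.9",
           "nw_dst": "10.0.0.10", "tp_dst": "443"}
    return lookup(TABLE, pkt)

if __name__ == "__main__":
    print(client_at_home(), client_after_move(), public_web_from_anywhere())
```

Re-admitting the moved client requires the controller to learn its new address and push a fresh rule, which is exactly the gap between location-based identifiers and the client's actual identity.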
Cost-efficient, physical commodity intermediate nodes (e.g. middleboxes) do not usually inspect application-layer traffic because such Deep Packet Inspection (DPI) requires specialized hardware in order to avoid degraded performance. On the other hand, specialized hardware and virtualized intermediate nodes (e.g. middleboxes) can support DPI to inspect network traffic. In such a case, the intermediate nodes (e.g. middleboxes) usually mirror the traffic to a logically centralized collection point. A challenge in this regard is that the amount of traffic can be overly large and intelligent strategies are needed to find the essential information in real time.